Details

    • Type: Language-Specification
    • Status: Deprecated
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      Executing XPATH expressions is security-sensitive. It has led in the past to the following vulnerabilities:

      User provided data such as URL parameters should always be considered as untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injections attacks can read sensitive information from the XML document.

      This rule will create issues when the following methods are called with a string XPath which is subject to injection (non-hardcoded string):

      • System.Xml.XmlNode.SelectNodes(string)
      • System.Xml.XmlNode.SelectNodes(string, System.Xml.XmlNamespaceManager)
      • System.Xml.XmlNode.SelectSingleNode(string)
      • System.Xml.XmlNode.SelectSingleNode(string, System.Xml.XmlNamespaceManager)
      • System.Xml.XPath.XPathNavigator.Compile(string)
      • System.Xml.XPath.XPathNavigator.Evaluate(string)
      • System.Xml.XPath.XPathNavigator.Evaluate(string, System.Xml.IXmlNamespaceResolver)
      • System.Xml.XPath.XPathNavigator.Matches(string)
      • System.Xml.XPath.XPathNavigator.Select(string)
      • System.Xml.XPath.XPathNavigator.Select(string, System.Xml.IXmlNamespaceResolver)
      • System.Xml.XPath.XPathNavigator.SelectSingleNode(string)
      • System.Xml.XPath.XPathNavigator.SelectSingleNode(string, System.Xml.IXmlNamespaceResolver)
      • System.Xml.XPath.XPathExpression.Compile(string)
      • System.Xml.XPath.XPathExpression.Compile(string, System.Xml.IXmlNamespaceResolver)

      Calling these methods on subclasses of XmlNode and XPathNavigator will also raise an issue.
      Methods receiving the XPath as an XPathExpression instead of a string will not raise an exception. The goal is to highlight the place where the XPath string is compiled.

      Sensitive Code Example

      String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
      xpathNavigator.Evaluate(expression);  // Sensitive. Check if the XPATH expression is safe.
      

      Exceptions

      Hard-coded XPath strings will not raise an issue.

      xpathNavigator.Evaluate("/users/user[@name='alice']");
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              nicolas.harraudeau Nicolas Harraudeau
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: